Security Operations Fundamentals > [T2]: Lab - Microsoft Sentinel SIEM - How to investigate an incident

How to investigate an incident

Note: This lesson cannot be reproduced in the provided Azure environment, because the workspace's data retention period is 90 days and the incident data shown here has aged out. The lesson is still valuable for the methodology and the steps an analyst takes to investigate an incident in a SIEM.

To investigate the incident, click Incidents, select the incident shown in the screenshot below, change the Owner from Unassigned to your account, change the Status from New to Active, and click "View full details".

Figure


The incident pane will give you more insights and details about the incident.

Figure


Click Investigate. This opens the investigation graph, a connected graph of the entities (hosts, accounts, IP addresses) involved in the incident and the alerts that link them:

Figure


You will notice that the Windows 10 host is under brute-force attack from two suspicious IP addresses (entities). Two questions drive the rest of the investigation: are these addresses known to be malicious, and did any of the logon attempts succeed?
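The investigation graph answers the first part of this visually. The following is an added example, not part of the original lab, that asks the same question of raw Windows logon events in the shape of Sentinel's SecurityEvent table: which source IPs produced a burst of failed logons (EventID 4625), how many accounts each targeted, and whether a successful logon (EventID 4624) from the same address followed, which turns a noisy brute-force attempt into a likely credential compromise. The events are constructed sample data; 80.66.76.145 is the address named in the lab, while the second attacker address (198.51.100.23, from the documentation range), the benign internal address, the host name and the account names are assumptions.

```python
"""Triage a brute-force incident from Windows logon events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 4625
SUCCESS_LOGON = 4624
NETWORK_LOGON = 3


def _event(ts, event_id, account, ip, computer="win10-lab", logon_type=NETWORK_LOGON):
    # Minimal record with the SecurityEvent columns the triage needs.
    return {"TimeGenerated": ts, "EventID": event_id, "Computer": computer,
            "Account": account, "IpAddress": ip, "LogonType": logon_type}


# Constructed sample events (not real telemetry from the lab environment).
SAMPLE_EVENTS = [
    # 80.66.76.145: six failures in three minutes against three accounts, no success.
    _event("2023-03-01T10:00:05Z", FAILED_LOGON, "administrator", "80.66.76.145"),
    _event("2023-03-01T10:00:35Z", FAILED_LOGON, "administrator", "80.66.76.145"),
    _event("2023-03-01T10:01:05Z", FAILED_LOGON, "admin", "80.66.76.145"),
    _event("2023-03-01T10:01:35Z", FAILED_LOGON, "admin", "80.66.76.145"),
    _event("2023-03-01T10:02:05Z", FAILED_LOGON, "user", "80.66.76.145"),
    _event("2023-03-01T10:02:35Z", FAILED_LOGON, "user", "80.66.76.145"),
    # 198.51.100.23 (assumed second attacker): five failures, then a successful network logon.
    _event("2023-03-01T10:10:00Z", FAILED_LOGON, "jsmith", "198.51.100.23"),
    _event("2023-03-01T10:10:30Z", FAILED_LOGON, "jsmith", "198.51.100.23"),
    _event("2023-03-01T10:11:00Z", FAILED_LOGON, "jsmith", "198.51.100.23"),
    _event("2023-03-01T10:11:30Z", FAILED_LOGON, "jsmith", "198.51.100.23"),
    _event("2023-03-01T10:12:00Z", FAILED_LOGON, "jsmith", "198.51.100.23"),
    _event("2023-03-01T10:12:30Z", SUCCESS_LOGON, "jsmith", "198.51.100.23"),
    # 10.0.0.5 (assumed internal host): a user mistyping a password twice, below the threshold.
    _event("2023-03-01T10:20:00Z", FAILED_LOGON, "alice", "10.0.0.5"),
    _event("2023-03-01T10:20:20Z", FAILED_LOGON, "alice", "10.0.0.5"),
    _event("2023-03-01T10:20:40Z", SUCCESS_LOGON, "alice", "10.0.0.5"),
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def triage_logons(events, min_failures=5, window=timedelta(minutes=10)):
    """Return {ip: finding} for every source IP with at least `min_failures`
    failed logons inside one sliding `window`, plus any later success from it."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for ev in events:
        ts = parse_ts(ev["TimeGenerated"])
        if ev["EventID"] == FAILED_LOGON:
            failures[ev["IpAddress"]].append((ts, ev))
        elif ev["EventID"] == SUCCESS_LOGON:
            successes[ev["IpAddress"]].append((ts, ev))

    findings = {}
    for ip, fails in failures.items():
        fails.sort(key=lambda item: item[0])
        times = [ts for ts, _ in fails]
        # Burst test: some run of min_failures consecutive failures fits in the window.
        bursty = any(times[i + min_failures - 1] - times[i] <= window
                     for i in range(len(times) - min_failures + 1))
        if not bursty:
            continue
        first_failure = times[0]
        # A 4624 from the same IP after the failures began means a password was guessed.
        later_successes = [ev for ts, ev in successes.get(ip, []) if ts >= first_failure]
        findings[ip] = {
            "failed_logons": len(fails),
            "accounts_targeted": sorted({ev["Account"] for _, ev in fails}),
            "hosts": sorted({ev["Computer"] for _, ev in fails}),
            "first_seen": first_failure.isoformat(),
            "last_seen": times[-1].isoformat(),
            "succeeded_as": sorted({ev["Account"] for ev in later_successes}),
        }
    return findings


def severity(finding):
    """A success after the burst is a likely compromise, not just noise to block."""
    return "credential compromise likely" if finding["succeeded_as"] else "brute-force attempt"


if __name__ == "__main__":
    results = triage_logons(SAMPLE_EVENTS)
    for ip, f in sorted(results.items(), key=lambda kv: -kv[1]["failed_logons"]):
        print(f"{ip}: {f['failed_logons']} failed logons against {f['accounts_targeted']} "
              f"on {f['hosts']} -> {severity(f)}; succeeded as {f['succeeded_as'] or 'nobody'}")
```

The sliding window matters: a single threshold over the whole retention period would flag any long-lived address, while five failures inside ten minutes is the shape of an automated guesser. In Sentinel itself the same question is asked with a KQL query over the SecurityEvent table that summarizes EventID 4625 by IpAddress and then joins EventID 4624 from the same addresses.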

As an analyst, one of your tasks is to analyze these suspicious entities. Copy the IP address 80.66.76.145 and look it up on VirusTotal.

You will notice that the information security community has already flagged the IP address as malicious. Treat this as enrichment rather than proof: the verdict is an aggregate of third-party engine and user votes, which can be stale or wrong, so corroborate it with a second source before acting on it.

Figure

Figure


If you check a second service, such as AlienVault Open Threat Exchange (OTX), you will notice that the IP address is also reported as malicious by many independent sources, which makes the VirusTotal verdict much more credible.

Figure


Analysts document the activities they performed and the enrichment results (which services were queried, what they returned, and the conclusion drawn) in the incident's Comments section, so the reasoning behind the final classification is preserved for anyone who reopens the incident later.
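The VirusTotal and OTX lookups above and the comment written from them can be scripted. The following is an added example, not part of the lab, that scores an address from the JSON documents the two public APIs return and formats the result as an incident comment. The scoring is separated from the fetching so it runs here on constructed sample responses; the live lookups use the VirusTotal API v3 ip_addresses endpoint (authenticated with an x-apikey header) and the OTX v1 indicators endpoint, and only run when an API key is supplied through the environment. The detection counts and pulse tags in the samples are constructed illustrations, not real vendor results for 80.66.76.145, and the verdict thresholds are assumptions to be tuned per team.

```python
"""Enrich an IP against VirusTotal and OTX and draft the incident comment (added example)."""
import json
import os
import urllib.request

VT_URL = "https://www.virustotal.com/api/v3/ip_addresses/{ip}"
OTX_URL = "https://otx.alienvault.com/api/v1/indicators/IPv4/{ip}/general"


def fetch_json(url, headers):
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def fetch_virustotal(ip, api_key):
    return fetch_json(VT_URL.format(ip=ip), {"x-apikey": api_key})


def fetch_otx(ip, api_key=None):
    headers = {"X-OTX-API-KEY": api_key} if api_key else {}
    return fetch_json(OTX_URL.format(ip=ip), headers)


def score_virustotal(doc):
    """Summarize the per-engine vote counts from a VT v3 ip_addresses document."""
    stats = doc["data"]["attributes"]["last_analysis_stats"]
    return {"malicious": stats.get("malicious", 0),
            "suspicious": stats.get("suspicious", 0),
            "total": sum(stats.values())}


def score_otx(doc):
    """Summarize how many community pulses reference the indicator, and their tags."""
    pulse_info = doc.get("pulse_info", {})
    tags = {tag for pulse in pulse_info.get("pulses", []) for tag in pulse.get("tags", [])}
    return {"pulses": pulse_info.get("count", 0), "tags": sorted(tags)}


def verdict(vt, otx, min_vt_engines=3, min_pulses=2):
    """Combine the two sources. Thresholds are assumptions: a single engine or a
    single pulse is weak evidence, agreement between independent sources is strong."""
    vt_hit = vt["malicious"] >= min_vt_engines
    otx_hit = otx["pulses"] >= min_pulses
    if vt_hit and otx_hit:
        return "malicious (corroborated)"
    if vt_hit or otx_hit:
        return "suspicious (single source)"
    return "no community detections"


def incident_comment(ip, vt, otx):
    """Text to paste into the incident's Comments section."""
    return (f"Enrichment for {ip}: VirusTotal {vt['malicious']}/{vt['total']} engines malicious "
            f"({vt['suspicious']} suspicious); {otx['pulses']} OTX pulses, tags: "
            f"{', '.join(otx['tags']) or 'none'}. Verdict: {verdict(vt, otx)}.")


# Constructed sample responses in the shape of the two APIs (values are illustrative).
SAMPLE_VT_RESPONSE = {"data": {"id": "80.66.76.145", "type": "ip_address", "attributes": {
    "last_analysis_stats": {"harmless": 60, "malicious": 12, "suspicious": 2,
                            "undetected": 14, "timeout": 0}}}}
SAMPLE_OTX_RESPONSE = {"indicator": "80.66.76.145", "type": "IPv4", "pulse_info": {
    "count": 5, "pulses": [{"name": "RDP brute force sources", "tags": ["bruteforce", "rdp"]},
                           {"name": "SSH scanners", "tags": ["ssh", "bruteforce"]}]}}


def enrich(ip, vt_key=None, otx_key=None):
    """Live lookup when keys are present, otherwise the constructed samples."""
    vt_doc = fetch_virustotal(ip, vt_key) if vt_key else SAMPLE_VT_RESPONSE
    otx_doc = fetch_otx(ip, otx_key) if vt_key else SAMPLE_OTX_RESPONSE
    return incident_comment(ip, score_virustotal(vt_doc), score_otx(otx_doc))


if __name__ == "__main__":
    print(enrich("80.66.76.145", os.environ.get("VT_API_KEY"), os.environ.get("OTX_API_KEY")))
```

The verdict function is the part worth arguing about in a team: requiring agreement between two independent sources before calling an address malicious is what keeps a stale or mistaken vendor vote from driving the incident classification on its own.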

Figure


The final step is to close the incident.

Change the Status to Closed, select a classification that records the outcome (Sentinel offers True Positive, Benign Positive, False Positive and Undetermined, each with a reason) and add a closing comment, then close the incident. The classification matters beyond this one case: it is the feedback that tells you whether the analytics rule that raised the incident is producing useful alerts.

Figure


Additional Resources:
